Flowint is a precursor to the Global Variables task we will be adding
to the engine very soon, which will allow the capture, storage and
comparison of data in a variable. It will be, as the name implies,
global, so you can compare data from packets in unrelated streams.

Flowint allows storage and mathematical operations using variables. It
operates much like flowbits but with the addition of mathematical
capabilities and the fact that an integer can be stored and
manipulated, not just a flag set. We can use this for a number of very
useful things, such as counting occurrences, adding or subtracting
occurrences, or doing thresholding within a stream in relation to
multiple factors. This will be expanded to a global context very soon,
so users can perform these operations between streams.

The syntax is as follows:

flowint: <name>, <modifier>;

Define a var (not required), or check that one is set or not set.

flowint: <name>, <modifier>, <value>;

flowint: <name>, < +,-,=,>,<,>=,<=,==, != >, <value>;

Compare or alter a var. Add, subtract, compare greater than or less
than, greater than or equal to, and less than or equal to are
available. The item to compare with can be an integer or another
variable.

For example, suppose you want to count how many times a username is
seen in a particular stream and alert if it is seen more than 5 times.

This will count each occurrence and increment the var usernamecount
and not generate an alert for each.

Now say we want to generate an alert if there are more than five hits
in the stream.

alert tcp any any -> any any (msg:"More than Five Usernames!"; content:"jonkman"; \
      flowint:usernamecount, +, 1; flowint:usernamecount, >, 5;)

So we’ll get an alert ONLY if usernamecount is over five.

So now let’s say we want to get an alert as above but NOT if there
have been more occurrences of that username logging out. Assuming this
particular protocol indicates a log out with “jonkman logout”, let’s
try:

So now we’ll get an alert ONLY if there are more than five active
logins for this particular username.

This is a rather simplistic example, but I believe it shows the power
of what such a simple function can do for rule writing. I see a lot of
applications in things like login tracking, IRC state machines,
malware tracking, and brute force login detection.

Let’s say we’re tracking a protocol that normally allows five login
fails per connection, but we have a vulnerability where an attacker can
continue to log in after those five attempts, and we need to know about
it.
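One way to write that check with flowint, as an added example rather than rules from the original page; the marker strings "login failed" and "login successful" and the sid values are assumed placeholders for whatever the real protocol sends:

```suricata
# Added example, not from the original page. "login failed" / "login successful"
# stand in for the protocol's real markers; the sids are placeholders.

# Every failure on the flow bumps loginfail (+ creates the var on first use, as in
# the usernamecount example above). The keywords run left to right, so the
# increment is applied on every hit, but the rule only matches, and alerts, once
# the count is past the five the protocol is supposed to allow.
alert tcp any any -> any any (msg:"More than five login fails in one flow"; \
      content:"login failed"; flowint:loginfail, +, 1; flowint:loginfail, >, 5; \
      sid:1000001; rev:1;)

# The case the vulnerability makes possible: a success arriving after the lockout
# should already have kicked in. This rule only reads the var, it never changes it.
alert tcp any any -> any any (msg:"Login succeeded after more than five fails"; \
      content:"login successful"; flowint:loginfail, isset; flowint:loginfail, >, 5; \
      sid:1000002; rev:1;)
```

Because the counter lives in the flow, a client that opens a fresh connection for each attempt starts at zero again; per-connection counting is what the protocol's own limit is scoped to, so that is the behaviour these rules mirror.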